COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Similar documents
Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Lecture 17: Constructions of Public-Key Encryption

Lecture 11: Key Agreement

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Notes for Lecture 16

Lecture 7: CPA Security, MACs, OWFs

CPA-Security. Definition: A private-key encryption scheme

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

6.892 Computing on Encrypted Data September 16, Lecture 2

Lossy Trapdoor Functions and Their Applications

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

1 Number Theory Basics

Lecture 2: Program Obfuscation - II April 1, 2009

Modern symmetric-key Encryption

Lecture 5, CPA Secure Encryption from PRFs

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Introduction to Cybersecurity Cryptography (Part 4)

6.892 Computing on Encrypted Data October 28, Lecture 7

Bootstrapping Obfuscators via Fast Pseudorandom Functions

A New Constant-size Accountable Ring Signature Scheme Without Random Oracles

Introduction to Cybersecurity Cryptography (Part 4)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

On Two Round Rerunnable MPC Protocols

Lecture 4: Computationally secure cryptography

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

5.4 ElGamal - definition

Introduction to Cryptography. Lecture 8

Fully Homomorphic Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Universal Samplers with Fast Verification

Advanced Topics in Cryptography

Modern Cryptography Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Lecture 13: Private Key Encryption

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps

Advanced Cryptography 03/06/2007. Lecture 8

from Standard Lattice Assumptions

III. Pseudorandom functions & encryption

El Gamal A DDH based encryption scheme. Table of contents

Block ciphers And modes of operation. Table of contents

Lectures 2+3: Provable Security

Lecture 3: Interactive Proofs and Zero-Knowledge

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Scribe for Lecture #5

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Lecture 2: Perfect Secrecy and its Limitations

1 Public-key encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

On the Complexity of Compressing Obfuscation

Publicly Verifiable Software Watermarking

1 Indistinguishability for multiple encryptions

Evaluating 2-DNF Formulas on Ciphertexts

Notes for Lecture 17

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

A survey on quantum-secure cryptographic systems

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Question 1. The Chinese University of Hong Kong, Spring 2018

Classical hardness of the Learning with Errors problem

CS 395T. Probabilistic Polynomial-Time Calculus

Cryptographic Solutions for Data Integrity in the Cloud

Notes for Lecture 9. 1 Combining Encryption and Authentication

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

Identity-Based Encryption from the Diffie-Hellman Assumption

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Linear Multi-Prover Interactive Proofs

8 Security against Chosen Plaintext

CTR mode of operation

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Practical Fully Homomorphic Encryption without Noise Reduction

Public-Key Encryption

Leakage-Resilient Public-Key Encryption from Obfuscation

Bounded Key-Dependent Message Security

Block Ciphers/Pseudorandom Permutations

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Computational security & Private key encryption

Standard Security Does Not Imply Indistinguishability Under Selective Opening

Short Exponent Diffie-Hellman Problems

G Advanced Cryptography April 10th, Lecture 11

15 Public-Key Encryption

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Output Compression, MPC, and io for Turing Machines

Perfectly-Secret Encryption

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model

Public-Seed Pseudorandom Permutations

A New Paradigm of Hybrid Encryption Scheme

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Public-seed Pseudorandom Permutations EUROCRYPT 2017

Multi-Input Functional Encryption for Unbounded Arity Functions

Transcription:

COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to build fully homomorphic encryption FHE from indistinguishability obfuscation io. In previous applications, we use io in conjunction with one-way functions OWF. However, it seems that OWF alone is not sufficient in this case. We know that FHE implies collision resistance hash function CRHF [IKO 05]. Therefore, if we can obtain FHE from io and OWF, we will also get CRHF. However, there is an argument not a concrete proof that io and OWF alone is unlikely to imply CRHF [AS 15]. As such, we believe that in order to build FHE from io, we are going to need more than just OWF. 2 Construction of FHE from io 2.1 First Attempt Suppose we have a public key encryption PKE scheme consists of three algorithms: Gen PKE, Enc PKE, and Dec PKE. We are going to start of with a FHE scheme that looks very similar to what we have seen with other applications of io: Genλ: dk, ek Gen PKE λ, K Gen PRF λ. Sets ek as the encryption key and dk, K as the decryption key. Outputs ek, dk, K. Encek, m: Enc PKE ek, m Decdk, ct: Dec PKE dk, ct Evalop, ct 0, ct 1 : Outputs ObfP dk,k,ek op, ct 0, ct 1 where op is an operation +, and ObfP dk,k,ek is an obfuscation of the following program: P dk,k,ek op, ct 0, ct 1 : m b = Decdk, ct b b {0, 1} r = PRFK, op, ct 0, ct 1 Outputs Encek, m; r 1

Note that obfuscation only works with deterministic programs. Since the encryption algorithm is necessarily randomized, we need to explicitly calculate the random coin r and give it to Enc in P dk,k,ek. However, we do not know how to prove security with the above construction. Therefore, we will have to relax the definition of FHE. 2.2 Leveled FHE In a regular FHE scheme, the homomorphic operation should produce a ciphertext under the same encryption key as the two input ciphertexts. However, in a leveled FHE scheme, we will allow the homomorphic operation to produce a ciphertext under a different encryption key. So instead of just one pair of ek, dk, we now have ek 1, dk 1, ek 2, dk 2,..., ek n, dk n. If we add or multiply two ciphertexts under ek 1, we will get a ciphertext under the next level ek 2. As long as the users have all the decryption keys, they would be be able to decrypt any messages. If we want to perform operation on two ciphertexts at different levels, we can simply add an encryption of 0 under the appropriate ek to the ciphertext of lower level to push it up the levels. Our homomorphic evaluation now consists of the obfuscations of multiple programs one for each level of encryption. P i dk i,k i,ek i+1 op, ct 0, ct 1 : m b = Decdk i, ct b b {0, 1} r = PRFK i, op, ct 0, ct 1 Outputs Encek i+1, m; r However, this leveled FHE scheme still implies CRHF, and therefore is affected by the implausibility result which suggests that we cannot build it from just io and OWF [AS 15]. As such, we will need to modify this program. The last program in the sequence is P n 1. Our goal is to change this program so that instead of outputting the resulting ciphertext, it would always output an encryption of 0: 2

Q n 1 K n 1,ek n op, ct 0, ct 1 : r = PRFK n 1, op, ct 0, ct 1 Outputs Encek n, 0; r Since Q n 1 K n 1,ek n ignores the input messages completely, it does not need dk n 1. If we are able to change the last level of P into Q, then we will be able to work up the chain of programs and get rid of all dk i. 2.3 Indistinguishability of P and Q In order to argue indistinguishability between P and Q, we are going to impose some arbitrary ordering on the input of the programs: op, ct 0, ct 1. If we think of the input as a sequence of bits, then this can just be the normal ordering of the bits. We now define a new program R which will also include R n 1,t op, ct 0, ct 1 : r = PRFK n 1, op, ct 0, ct 1 If op, ct 0, ct 1 < t Outputs Encek n, 0; r Else m b = Decdk n 1, ct b Outputs Encek n, m; r R n 1,t outputs encryption of 0 for all inputs below the threshold t, and computes the resulting ciphertext correctly for the rest of the inputs. Notice that for t = 0 minimum value in the ordering, then R n 1,t is equivalent to P n 1. If the threshold is set at MAX, where MAX larger than any possible input values, then R n 1,t is functionally identical to Q n 1. We want to show that: Obf R n 1,t c Obf R n 1,t+1 Essentially, we will show that we can move the threshold t up or down 1 at a time and still preserve security. This will definitely change the functionality of R. However, we are going to argue that R n 1,t and R n 1,t+1 are still indistinguishable. Notice that R n 1,t and R n 1,t+1 differs on only one input t. On all other inputs, the two programs are identical. We can then prove indistinguishability using a series of hybrids: H 0 : The first hybrid corresponds to R n 1,t 3

H 1 : Let the threshold t = op, ct 0, ct 1 and K n 1 {t} be the punctured PRF key at t. r PRFK n 1, op, ct 0, ct 1 m = Decdk n 1, ct 0 op Decdk n 1, ct 1 ct Encek n, m ; r We now replace R n 1,t with a new program R n 1,t : R n 1,t dk n 1,K n 1 {t},ek n,ct op, ct 0, ct 1 : If op, ct 0, ct 1 = t Outputs ct Else r = PRFK n 1 {t}, op, ct 0, ct 1 If op, ct 0, ct 1 < t Outputs Encek n, 0; r Else m b = Decdk n 1, ct b Outputs Encek n, m; r We can see that R n 1,t is functionally identical to R n 1,t in H 0. Therefore, by io security, we can conclude that H 0 c H 1. H 2 : In this hybrid, we replace r with uniformly random value. We can argue that H 2 is indistinguishable from H 1 using puncturable PRF security. H 3 : We now set ct = Encek n, 0; r. Indistinguishability of H 3 and H 2 follows from security of the PKE scheme. r is not used anywhere except in the encryption of ct. So in H 2, we have a fresh encryption of m, and in H 3, we have a fresh encryption of 0. By PKE security, an adversary without the decryption key cannot tell the difference between these two ciphertexts. H 4 : We set r back to be PRFK n 1, op, ct 0, ct 1 and use punturable PRF security to argue that H 3 c H 4. H 5 : We replace R n 1,t with R n 1,t+1. Since the two are now functionally identical we replace the hardcoded value at t with encryption of 0 in H 3, we can conclude that H 4 c H 5 by io security. We have now shown that: Obf R n 1,t c Obf R n 1,t+1 4

So if we continue the chain from t = 0 to t = MAX, we will have: P n 1 = R n 1,0 c R n 1,1 c... c R n 1,MAX 1 c R n 1,MAX = Q n 1 So it seems that we have successfully shown that P n 1 is indistinguishable from Q n 1. However, there is a problem in this proof. Let l be the length of the ciphertexts produced and T be the size of the set of all t values. We have T = 2 l, so the advantage is 2 l neglλ. However, since negl only means that the function is smaller than any inverse polynomial, 2 l neglλ is not necessarily negligible. In addition, it is not hard to show that in any secure PKE scheme, the ciphertext size must be at least λ. Therefore, the advantage is 2 λ neglλ. Unfortunately, we do not know how to solve this problem. The only thing we can do is to assume that the indistinguishability between each R is very strong. 2.4 Subexponential io We give a new definition of io called subexponential io: Definition 1 Subexponential io. For all functionally equivalent circuits C 0, C 1 and for all PPT adversaries A, there exist a constant c 0, 1] such that P r[aobfc 0, λ] = 1] P r[aobfc 1, λ] = 1] < 1 2 λc This is a stronger definition of io. We do not know that this is possible. However, it turns out that for io and other cryptographic primitives, the best known attacks have had this kind of probability. So it is plausible to assume that there is no kind of attack with higher success probability. If we use subexponentially strong io and PRF, no attacker will be able to distinguish between H 0 and H 5 with probability better than 2 l 5 2 for level n, where λnc λ n is the security parameter for the level. To make the value 2 l 5 2 small, we λnc are going to set λ n >> l 1 c λ n 1 1 c λ n 1 is the security parameter of the previous level. We are raising the security parameter for the next level to be bigger than the previous level. However, this means that λ n is exponentially big in n, which means that our obfuscated programs and ciphertexts have to also be exponentially big. We can fix this problem by introducing another primitive. 2.5 Lossy Encryption Until now, we have not use anything more than io and OWF. As mentioned before, FHE is unlikely to follows from just io and OWF. Therefore, we are going to need a new primitive called lossy encryption. 5

Definition 2 Lossy Encryption. A lossy encryption scheme consists of four algorithms: Genλ dk, ek Encek, m ct Decdk, ct m Gen Lossy λ ek There is a strong requirement that the distribution of the encryption of 0 and 1 under ek Gen Lossy λ must be identical. For all ek Gen Lossy λ and ciphertext ct: P r[encek, 0 = ct] = P r[encek, 1 = ct] Clearly this cannot be the case for ek generated with dk from Genλ, since we will not be able to decrypt otherwise. Basically, ek Gen Lossy is a lossy key since it loses all information about the message. For security we requires that: ek Gen Lossy λ c ek : ek, dk Genλ We can build lossy encryption from Decisional Diffie-Hellman DDH, factoring, and learning with errors LWE assumptions though the distribution of ciphertext for 0 and 1 under lossy key are only statistically indistinguishable, not identical, in the case of LWE. We now go back to the proof and, before we switch from P to R, replace the encryption key with a lossy key. So P n 1 will be replaced with: P n 1,Lossy : dk n 1,K n 1,ek Lossy n m b = Decdk n 1, ct b r = PRFK n 1, op, ct 0, ct 1 Outputs Encek Lossy n, m; r We can make this change because P n 1 does not include the corresponding decryption key for ek n. Now we can repeat the sequence of hybrids, except that we do not need to invoke PKE security between H 2 and H 3 since the encryption key has been replaced with a lossy key, which has identical distribution for encryption of 0 and 1. We no longer invokes security of the encryption scheme for every step of the hybrid, only from P n 1 to P n 1,Lossy. At a high level, we have separated the dependency between the security parameter and the input size. Let λ 0 be the security parameter of the encryption scheme. We will now set security of io and puncturable PRF to be λ 1 >> l 1 c λ 0 1 c. 6

2.6 The Rest of the Proof We have now proved security of P n 1. From here, we can prove the security of P n 2, because once we have switched to Q n 1, we no longer have dk n 1. We can then repeat the process to replace the program at each level with Q. Once we get to level 0, we can simply prove security using PKE security. 3 From Level FHE to Full FHE Note that we have already known how to build leveled FHE under the LWE assumption before. However, we do not know how to turn this into the full FHE scheme we wanted. In both leveled FHE constructions from LWE and io, the number of levels are bounded. However, it turns out that we can turn the level FHE construction from io into a full FHE scheme with subexponential hardness assumption. Briefly, the instead obfuscate a program P which takes in a level n and outputs the obfuscated program P n for that level. P n : Outputs ObfP n Here dk n 1, K n 1, and ek n are generated by a PRF. At the end, we have a program of fix size that we can use to generate ObfP n for a new level by feeding it n. References [AS 15] Asharov, G. and Segev, G. Limits on the power of indistinguishability obfuscation and functional encryption. Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, 191-209, 2015. 1, 2 [IKO 05] Ishai, Y., Kushilevitz, E., and Ostrovsky, R. Sufficient conditions for collision-resistant hashing. Theory of Cryptography Conference, 445-456, 2005. 1 7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback